CVE-2021-1499 – Cisco HyperFlex HX Data Platform File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-1499
A vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform could allow an unauthenticated, remote attacker to upload files to an affected device. This vulnerability is due to missing authentication for the upload function. An attacker could exploit this vulnerability by sending a specific HTTP request to an affected device. A successful exploit could allow the attacker to upload files to the affected device with the permissions of the tomcat8 user. Una vulnerabilidad en la interfaz de administración basada en web de Cisco HyperFlex HX Data Platform, podría permitir a un atacante remoto no autenticado cargar archivos en un dispositivo afectado. • http://packetstormsecurity.com/files/163203/Cisco-HyperFlex-HX-Data-Platform-File-Upload-Remote-Code-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-upload-KtCK8Ugz https://attackerkb.com/assessments/82738621-1114-4aba-990a-9ea007b05834 • CWE-306: Missing Authentication for Critical Function •
CVE-2021-1498 – Cisco HyperFlex HX Data Platform Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1498
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-1497 – Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-1497
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Múltiples vulnerabilidades en la interfaz de administración basada en web de Cisco HyperFlex HX, podrían permitir a un atacante remoto no autenticado llevar a cabo ataques de inyección de comandos contra un dispositivo afectado. Para obtener más información sobre estas vulnerabilidades, consulte la sección Detalles de este aviso Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. • http://packetstormsecurity.com/files/162976/Cisco-HyperFlex-HX-Data-Platform-Command-Execution.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-hyperflex-rce-TjjNrkpR https://attackerkb.com/assessments/4f532147-b27b-4079-aed1-5cfdc402cf5c https://twitter.com/ptswarm/status/1390300625129201664 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-1857 – Cisco HyperFlex HX-Series Web-Based Management Interface Cross-Site Request Forgery Vulnerability
https://notcve.org/view.php?id=CVE-2019-1857
A vulnerability in the web-based management interface of Cisco HyperFlex HX-Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system by using a web browser and with the privileges of the user. Una vulnerabilidad en la interfaz de administración basada en la web de HyperFlex HX-Series de Cisco, podría permitir a un atacante remoto no identificado dirija un ataque de tipo cross-site request forgery (CSRF) y ejecute acciones arbitrarias en un sistema afectado. • http://www.securityfocus.com/bid/108163 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-hyperflex-csrf • CWE-352: Cross-Site Request Forgery (CSRF) •